[mirror_edk2.git] / BaseTools / Source / Python / Pkcs7Sign / Readme.md

# Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure\r
\r
This readme demonstrates how to generate 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands, and user MUST set a UNIQUE Subject Name ("Common Name") on these three different certificates.\r
\r
## How to generate a self-signed X.509 certificate chain via OPENSSL\r
* Set OPENSSL environment.\r
\r
NOTE: Below steps are required for Windows. Linux may already have the OPENSSL environment correctly.\r
\r
    set OPENSSL_HOME=c:\home\openssl\openssl-[version]\r
    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf\r
\r
When a user uses OpenSSL (req or ca command) to generate the certificates, OpenSSL will use the openssl.cnf file as the configuration data (can use “-config path/to/openssl.cnf” to describe the specific config file).\r
\r
The user need check the openssl.cnf file, to find your CA path setting, e.g. check if the path exists in [ CA_default ] section.\r
\r
    [ CA_default ]\r
        dir = ./demoCA              # Where everything is kept\r
\r
You may need the following steps for initialization:\r
\r
    rd ./demoCA /S/Q\r
    mkdir ./demoCA\r
    echo "" > ./demoCA/index.txt\r
    echo 01 > ./demoCA/serial\r
    mkdir ./demoCA/newcerts\r
\r
* Generate the certificate chain:\r
\r
NOTE: User MUST set a UNIQUE "Common Name" on the different certificate\r
\r
1) Generate the Root Pair:\r
\r
Generate a root key:\r
\r
    openssl genrsa -aes256 -out TestRoot.key 2048\r
\r
Generate a self-signed root certificate:\r
\r
    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt\r
    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER\r
    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem\r
\r
2) Generate the Intermediate Pair:\r
\r
Generate the intermediate key:\r
\r
    openssl genrsa -aes256 -out TestSub.key 2048\r
\r
Generate the intermediate certificate:\r
\r
    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr\r
    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key\r
    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER\r
    openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem\r
\r
3) Generate User Key Pair for Data Signing:\r
\r
Generate User key:\r
\r
    openssl genrsa -aes256 -out TestCert.key 2048\r
\r
Generate User certificate:\r
\r
    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr\r
    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`\r
    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER\r
    openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem\r
\r
Convert Key and Certificate for signing. Password is removed with -nodes flag for convenience in this sample.\r
\r
    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt\r
    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem\r
\r
* Verify Data Signing & Verification with new X.509 Certificate Chain\r
\r
1) Sign a Binary File to generate a detached PKCS7 signature:\r
\r
    openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin\r
\r
2) Verify PKCS7 Signature of a Binary File:\r
\r
    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin\r
\r
Commit	Line	Data
fdaf7842 JY	1	# Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure\r
	2	\r
	3	This readme demonstrates how to generate 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands, and user MUST set a UNIQUE Subject Name ("Common Name") on these three different certificates.\r
	4	\r
	5	## How to generate a self-signed X.509 certificate chain via OPENSSL\r
	6	* Set OPENSSL environment.\r
	7	\r
	8	NOTE: Below steps are required for Windows. Linux may already have the OPENSSL environment correctly.\r
	9	\r
	10	set OPENSSL_HOME=c:\home\openssl\openssl-[version]\r
	11	set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf\r
	12	\r
	13	When a user uses OpenSSL (req or ca command) to generate the certificates, OpenSSL will use the openssl.cnf file as the configuration data (can use “-config path/to/openssl.cnf” to describe the specific config file).\r
	14	\r
	15	The user need check the openssl.cnf file, to find your CA path setting, e.g. check if the path exists in [ CA_default ] section.\r
	16	\r
	17	[ CA_default ]\r
	18	dir = ./demoCA # Where everything is kept\r
	19	\r
	20	You may need the following steps for initialization:\r
	21	\r
	22	rd ./demoCA /S/Q\r
	23	mkdir ./demoCA\r
	24	echo "" > ./demoCA/index.txt\r
	25	echo 01 > ./demoCA/serial\r
	26	mkdir ./demoCA/newcerts\r
	27	\r
	28	* Generate the certificate chain:\r
	29	\r
	30	NOTE: User MUST set a UNIQUE "Common Name" on the different certificate\r
	31	\r
	32	1) Generate the Root Pair:\r
	33	\r
	34	Generate a root key:\r
	35	\r
	36	openssl genrsa -aes256 -out TestRoot.key 2048\r
	37	\r
	38	Generate a self-signed root certificate:\r
	39	\r
	40	openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt\r
	41	openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER\r
	42	openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem\r
	43	\r
	44	2) Generate the Intermediate Pair:\r
	45	\r
	46	Generate the intermediate key:\r
	47	\r
	48	openssl genrsa -aes256 -out TestSub.key 2048\r
	49	\r
	50	Generate the intermediate certificate:\r
	51	\r
	52	openssl req -new -days 3650 -key TestSub.key -out TestSub.csr\r
	53	openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key\r
	54	openssl x509 -in TestSub.crt -out TestSub.cer -outform DER\r
	55	openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem\r
	56	\r
	57	3) Generate User Key Pair for Data Signing:\r
	58	\r
	59	Generate User key:\r
	60	\r
	61	openssl genrsa -aes256 -out TestCert.key 2048\r
	62	\r
	63	Generate User certificate:\r
	64	\r
65	openssl req -new -days 3650 -key TestCert.key -out TestCert.csr\r
66	openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`\r
67	openssl x509 -in TestCert.crt -out TestCert.cer -outform DER\r
68	openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem\r
69	\r
70	Convert Key and Certificate for signing. Password is removed with -nodes flag for convenience in this sample.\r
71	\r
72	openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt\r
73	openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem\r
74	\r
75	* Verify Data Signing & Verification with new X.509 Certificate Chain\r
76	\r
77	1) Sign a Binary File to generate a detached PKCS7 signature:\r
78	\r
79	openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin\r
80	\r
81	2) Verify PKCS7 Signature of a Binary File:\r
82	\r
83	openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin\r
84	\r